Palo Alto User-ID with macOS computers

When deploying the Palo Alto User-ID feature, integrating macOS computers can be a challenge. User-ID offers many ways to capture the user / IP address mapping, but with macOS computers we sometimes need to be creative. During our tests, I researched the most reliable ways to deploy a solution that works with a wide variety of macOS versions. The notes below show our progress, but they are not a “true” reference set in stone: they indicate possible paths to follow during a deployment and give some ideas. macOS computers are often not joined to the domain and not necessarily enrolled in a centralized management tool… I hope these few notes and references will help you:

Bind to Active Directory domain

The most common solution for Windows administrators would be to bind all macOS computers to the Active Directory domain with the standard tools offered by Apple. The main problem with this solution is that if your computers aren’t already bound when you decide to deploy User-ID, you need to migrate all local user accounts to Active Directory accounts. Depending on how your company deploys computers, this is not really conceivable and can be a serious challenge. In our case this choice was too complicated because our macOS computers were not bound to the Active Directory domain.

Pros

Standard method supported by Apple

No cost

Cons

Can be difficult and slow to implement

NoMAD

When binding the computer to Active Directory is too complicated, it’s possible to try a solution like NoMAD. NoMAD is software that provides some Active Directory capabilities, such as a way to “sign in” to the domain without affecting the local user account. This domain login is recorded in the security log of the domain controllers, where Palo Alto User-ID detects it, and it is easy to deploy. NoMAD is ready to be managed by standard management tools through plist editing. It was our choice, because our macOS computers aren’t bound to Active Directory and the possibility of getting premium support is a real advantage.

Pros

Easy to deploy and can be realized very quickly

Support plans can be purchased

Cons

One more piece of software to manage

Custom script

Using the syslog capability of User-ID, you can create a local script, deployed to all macOS computers, whose task is to send the username / IP mapping to a syslog server. The syslog server then passes the information to the Palo Alto firewalls. This setup is a little more complicated because you need a server dedicated to this task and some scripting specific to your company’s needs. It is very similar to a previous post that explains how to use User-ID with a Cisco Wireless Controller; in this scenario, replace the WLC with the local script deployed on your macOS computers (note that this post is deprecated).
The script itself is not enough: you need to set up your server to receive messages by syslog/SNMP/API and resend this information through syslog. In the script below we’re using SNMP, because this server was already set up to collect user IDs from other equipment using this protocol and to resend these messages to Palo Alto User-ID via syslog.
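As an added example (not the post’s own script, which used SNMP), here is the syslog variant of such a macOS agent: it reads the console user and the IPv4 address of the default-route interface, refuses to report service accounts or malformed addresses, and sends one RFC 3164 line over UDP to a relay that forwards it to the firewall. The relay host and port, the domain prefix and the message layout are assumptions; the User-ID syslog filter (regex or field identifiers) must be written to match the same layout.

```shell
#!/bin/sh
# Added example: report console user + primary IPv4 to a syslog relay for
# Palo Alto User-ID. Relay, port, domain prefix and layout are assumptions.
USERID_RELAY="${USERID_RELAY:-syslog-relay.example.internal}"  # assumed relay
USERID_PORT="${USERID_PORT:-514}"
USERID_DOMAIN="${USERID_DOMAIN:-example}"   # assumed AD NetBIOS domain name

# Account that owns /dev/console, i.e. the interactively logged-in user.
console_user() { stat -f '%Su' /dev/console 2>/dev/null; }

# IPv4 address of the interface carrying the default route.
primary_ipv4() {
  ifc=$(route -n get default 2>/dev/null | awk '/interface:/ {print $2}')
  [ -n "$ifc" ] && ipconfig getifaddr "$ifc" 2>/dev/null
}

# Reject empty names, root, service accounts (_mbsetupuser, ...) and anything
# that is not a plain account name, so no mapping is created at the login
# window or during Setup Assistant.
is_reportable_user() {
  case $1 in ''|root|_*|*[!A-Za-z0-9._-]*) return 1 ;; esac
  return 0
}

# Accept only a well-formed dotted quad, so a garbled value never reaches the relay.
is_valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# RFC 3164 line, PRI 14 = facility user, severity info. Args: user ip host timestamp
format_userid_message() {
  printf '<14>%s %s userid-agent: login domain=%s user=%s ip=%s\n' \
    "$4" "$3" "$USERID_DOMAIN" "$1" "$2"
}

# Send one mapping over UDP syslog. Run it every few minutes from a LaunchAgent,
# because User-ID expires syslog-learned mappings after its timeout.
report_once() {
  user=$(console_user); ip=$(primary_ipv4)
  is_reportable_user "$user" || return 0
  is_valid_ipv4 "$ip" || return 0
  format_userid_message "$user" "$ip" "$(hostname -s)" "$(date '+%b %e %H:%M:%S')" |
    nc -u -w 1 "$USERID_RELAY" "$USERID_PORT"
}

if [ "${1:-}" = "run" ]; then report_once; fi
```

Invoke it as `userid-agent.sh run` from a per-user LaunchAgent with a `StartInterval` shorter than the User-ID timeout; the relay (or the firewall itself, if it listens directly) must be allowed to receive UDP 514 from the client network.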

Captive portal

The last possibility, if no other solution is conceivable, remains the captive portal. This is the option recommended for macOS and Linux computers. In my opinion, this is not a user-friendly choice: users don’t like things like that, and it can generate more support requests to the helpdesk. But it is a working solution, supported by Palo Alto Networks, so you need to consider it as a possibility.